Certificates missing for new users after upgrading to 2.4.3-RELEASE-p1



  • We recently upgraded to 2.4.3-RELEASE-p1.
    When I add a new user and select create certificate, the resulting certificate is zero bytes and there is no key. Openvpn Client Export configuration reports server.crt missing. Any help would be appreciated.



  • I get the error below when I try to add an internal certificate; it seems like a related symptom:
    The following input errors were detected:

    openssl library returns: error:0906D06C:PEM routines:PEM_read_bio:no start line
    openssl library returns: error:0906D06C:PEM routines:PEM_read_bio:no start line
    openssl library returns: error:0906D06C:PEM routines:PEM_read_bio:no start line
    openssl library returns: error:0906D06C:PEM routines:PEM_read_bio:no start line
    openssl library returns: error:0906D06C:PEM routines:PEM_read_bio:no start line
    openssl library returns: error:0906D06C:PEM routines:PEM_read_bio:no start line




  • Rebel Alliance Developer Netgate

    What version did you upgrade from?

    There could be a problem with your original CA. It's also possible there is a problem with your installation in general.

    We have seen cases before where users customized some portions of pfSense incorrectly (e.g. just changing product_name to something other than pfSense without making the other necessary changes). The system could end up without a proper openssl configuration in that case, which may lead to the errors you see.



  • Thanks for the response. It was upgraded from the latest 2.3 release. We didn't customize pfSense; we purchased the commercial appliances from pfSense, now Netgate. The product name changed from pfSense to Netgate, at least from the web UI perspective.


  • Rebel Alliance Developer Netgate

    The actual global declaration for $g['product_name'] is still pfSense even on Netgate devices, so it wouldn't be that.

    Anything special about the way this system was installed? Did it use a custom disk layout or was it just a plain/stock install using the typical defaults? Or is it still running the original factory install, but updated?



  • @jimp
    It should be the original factory install with upgrade. That said, we DID have an issue running the upgrade with the primary set as a standby in a HA pair. A different issue I'd been meaning to look at. We were finally able to get it to upgrade by disabling CARP on the secondary system and upgrading while the primary was active...


  • Rebel Alliance Developer Netgate

    OK. Next step is to check the OpenSSL config file. Try the following commands and compare the output.

    : ls -l /usr/local/share/pfSense/ssl/openssl.cnf
    -rw-r--r--  1 root  wheel  12017 May 29 13:09 /usr/local/share/pfSense/ssl/openssl.cnf
    : ls -l /etc/ssl/openssl.cnf
    -rw-r--r--  1 root  wheel  12017 Jul 23 10:22 /etc/ssl/openssl.cnf
    : ls -l /usr/local/openssl/openssl.cnf 
    lrwxr-xr-x  1 root  wheel  20 Jul 23 10:22 /usr/local/openssl/openssl.cnf -> /etc/ssl/openssl.cnf
    

    Note that the copy under /usr/local/share/pfSense should be identical in size and content to the one in /etc/ssl/:

    : sha256 /usr/local/share/pfSense/ssl/openssl.cnf
    SHA256 (/usr/local/share/pfSense/ssl/openssl.cnf) = ab6e9dfea7b9b94848724f87abf5e1d58fe14c8ea48b13c92dea5d2f57364fd2
    : sha256 /etc/ssl/openssl.cnf
    SHA256 (/etc/ssl/openssl.cnf) = ab6e9dfea7b9b94848724f87abf5e1d58fe14c8ea48b13c92dea5d2f57364fd2
    

    The above commands are from a 2.4.4 snapshot so the exact hash may be different on yours. It's OK so long as they match and are not zero bytes.
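    A scripted form of this comparison, as an added example that is not part of jimp's post or of pfSense itself: it checks that both files exist, are non-empty and have the same SHA-256, using FreeBSD's sha256(1) when present and falling back to sha256sum(1) elsewhere. The default paths are the ones quoted above; the exit codes and the RUN_CHECK variable are conventions of this example.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: compare the pfSense master
# openssl.cnf with the live copy in /etc/ssl the way the commands above do by hand.
# Exit codes (own convention): 0 match, 1 mismatch, 2 file missing, 3 file empty.

file_digest() {
    # FreeBSD ships sha256(1) (-q prints only the digest); Linux has sha256sum(1).
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d ' ' -f 1
    fi
}

check_openssl_cnf() {
    master="${1:-/usr/local/share/pfSense/ssl/openssl.cnf}"
    live="${2:-/etc/ssl/openssl.cnf}"

    for f in "$master" "$live"; do
        if [ ! -f "$f" ]; then
            echo "MISSING: $f" >&2
            return 2
        fi
        # -s: the file exists and is larger than zero bytes
        if [ ! -s "$f" ]; then
            echo "EMPTY: $f" >&2
            return 3
        fi
    done

    m=$(file_digest "$master")
    l=$(file_digest "$live")
    if [ "$m" != "$l" ]; then
        echo "MISMATCH: $master ($m) vs $live ($l)" >&2
        return 1
    fi
    echo "OK: $live matches $master ($m)"
    return 0
}

# Usage: RUN_CHECK=1 sh check_openssl_cnf.sh   (e.g. from a cron job that mails
# on a non-zero exit). Without RUN_CHECK the file only defines the functions.
if [ "${RUN_CHECK:-0}" = 1 ]; then
    check_openssl_cnf
fi
```

    Because the check keys on content rather than on the date shown by ls, it also catches the case from this thread where both files have a plausible size but different contents.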



  • @jimp
    They seem to be different:

    [2.4.3-RELEASE][ro@]/root: ls -l /usr/local/share/pfSense/ssl/openssl.cnf
    -rw-r--r--  1 root  wheel  12017 May  9 10:43 /usr/local/share/pfSense/ssl/openssl.cnf
    [2.4.3-RELEASE][ro@]/root: ls -l /etc/ssl/openssl.cnf
    -rw-r--r--  1 root  wheel  10847 May 10 20:08 /etc/ssl/openssl.cnf
    [2.4.3-RELEASE][ro@]/root: ls -l /usr/local/openssl/openssl.cnf
    lrwxr-xr-x  1 root  wheel  28 May  3  2017 /usr/local/openssl/openssl.cnf -> ../../../etc/ssl/openssl.cnf
    [2.4.3-RELEASE][ro@]/root: cd /usr/local/openssl/
    [2.4.3-RELEASE][ro@]/usr/local/openssl: ls -l ../../../etc/ssl/openssl.cnf
    -rw-r--r--  1 root  wheel  10847 May 10 20:08 ../../../etc/ssl/openssl.cnf
    


  • [2.4.3-RELEASE][ro]/usr/local/openssl: diff /usr/local/share/pfSense/ssl/openssl.cnf /etc/ssl/openssl.cnf
    12,15d11
    < # pfSense: default SAN value if $ENV::SAN is not defined
    < #
    < SAN			=
    <
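    Review bot: the `SAN =` default and its comment exist only on the `<` (pfSense) side, and every later hunk follows the same pattern of pfSense additions missing from the `>` side, so /etc/ssl/openssl.cnf here is the unmodified upstream OpenSSL configuration rather than a partially edited pfSense one. Without this default, any section that uses `subjectAltName = $ENV::SAN` fails with a variable lookup error whenever the SAN environment variable is unset, which is one more reason to replace the file wholesale rather than patch it line by line.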
    23c19
    < # extensions		=
    ---
    > # extensions		=
    36,38c32,34
    < # tsa_policy1 = 1.2.3.4.1
    < # tsa_policy2 = 1.2.3.4.5.6
    < # tsa_policy3 = 1.2.3.4.5.7
    ---
    > tsa_policy1 = 1.2.3.4.1
    > tsa_policy2 = 1.2.3.4.5.6
    > tsa_policy3 = 1.2.3.4.5.7
    57c53
    < #crlnumber	= $dir/crlnumber	# the current crl number
    ---
    > crlnumber	= $dir/crlnumber	# the current crl number
    76c72
    < crl_extensions	= crl_ext
    ---
    > # crl_extensions	= crl_ext
    111d106
    < prompt			= no
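    Review bot: `prompt = no` is missing from the `>` side, and the DN hunks that follow (134,137c129,132 through 144,145c139,140) show why that matters: the pfSense file pairs it with literal values (`countryName = US`, `localityName = Somecity`) to be used without prompting, while the upstream file carries prompt labels (`countryName = Country Name (2 letter code)`) meant for an interactive `openssl req`. A configuration that expects to prompt has no terminal to read from when the web GUI drives OpenSSL, which is consistent with the empty certificate and key reported in the first post.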
    122c117
    < # This sets a mask for permitted string types. There are several options.
    ---
    > # This sets a mask for permitted string types. There are several options.
    129c124
    < string_mask = nombstr
    ---
    > string_mask = utf8only
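    Review bot: `string_mask = nombstr` versus `utf8only` only changes how DN strings are encoded (PrintableString/T61String versus UTF8String); it is a compatibility choice, not a security setting, and needs no individual attention once the pfSense file is restored.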
    131c126
    < req_extensions = v3_req # The extensions to add to a certificate request
    ---
    > # req_extensions = v3_req # The extensions to add to a certificate request
    134,137c129,132
    < countryName			= US
    < #countryName_default		= AU
    < #countryName_min			= 2
    < #countryName_max			= 2
    ---
    > countryName			= Country Name (2 letter code)
    > countryName_default		= AU
    > countryName_min			= 2
    > countryName_max			= 2
    139,140c134,135
    < stateOrProvinceName		= Some-State
    < #stateOrProvinceName_default	= Some-State
    ---
    > stateOrProvinceName		= State or Province Name (full name)
    > stateOrProvinceName_default	= Some-State
    142c137
    < localityName			= Somecity
    ---
    > localityName			= Locality Name (eg, city)
    144,145c139,140
    < 0.organizationName		= CompanyName
    < #0.organizationName_default	= Internet Widgits Pty Ltd
    ---
    > 0.organizationName		= Organization Name (eg, company)
    > 0.organizationName_default	= Internet Widgits Pty Ltd
    155c150
    < #commonName_max			= 64
    ---
    > commonName_max			= 64
    158c153
    < #emailAddress_max		= 64
    ---
    > emailAddress_max		= 64
    164,165c159,160
    < #challengePassword_min		= 4
    < #challengePassword_max		= 20
    ---
    > challengePassword_min		= 4
    > challengePassword_max		= 20
    171,250c166,216
    < basicConstraints		= CA:FALSE
    < keyUsage			= nonRepudiation, digitalSignature, keyEncipherment
    < nsComment			= "OpenSSL Generated User Certificate"
    < subjectKeyIdentifier		= hash
    < authorityKeyIdentifier		= keyid,issuer:always
    < extendedKeyUsage		= clientAuth
    <
    < [ usr_cert_san ]
    <
    < # copy of [ usr_cert ] plus nonempty Subject Alternative Names
    < basicConstraints		= CA:FALSE
    < keyUsage			= nonRepudiation, digitalSignature, keyEncipherment
    < nsComment			= "OpenSSL Generated User Certificate"
    < subjectKeyIdentifier		= hash
    < authorityKeyIdentifier		= keyid,issuer:always
    < extendedKeyUsage		= clientAuth
    < subjectAltName			= $ENV::SAN
    <
    < [ server ]
    <
    < # Make a cert with nsCertType=server
    < basicConstraints		= CA:FALSE
    < nsCertType			= server
    < keyUsage			= digitalSignature, keyEncipherment
    < nsComment			= "OpenSSL Generated Server Certificate"
    < subjectKeyIdentifier		= hash
    < authorityKeyIdentifier		= keyid,issuer:always
    < extendedKeyUsage		= serverAuth,1.3.6.1.5.5.8.2.2
    <
    < [ server_san ]
    <
    < # copy of [ server ] plus nonempty Subject Alternative Names
    < basicConstraints		= CA:FALSE
    < nsCertType			= server
    < keyUsage			= digitalSignature, keyEncipherment
    < nsComment			= "OpenSSL Generated Server Certificate"
    < subjectKeyIdentifier		= hash
    < authorityKeyIdentifier		= keyid,issuer:always
    < extendedKeyUsage		= serverAuth,1.3.6.1.5.5.8.2.2
    < subjectAltName			= $ENV::SAN
    <
    < [ req_usr_cert ]
    <
    < # Copy of [ usr_cert ] for CSR
    < basicConstraints		= CA:FALSE
    < keyUsage			= nonRepudiation, digitalSignature, keyEncipherment
    < nsComment			= "OpenSSL Generated User Certificate"
    < subjectKeyIdentifier		= hash
    < extendedKeyUsage		= clientAuth
    <
    < [ req_usr_cert_san ]
    <
    < # Copy of [ usr_cert_san ] for CSR
    < basicConstraints		= CA:FALSE
    < keyUsage			= nonRepudiation, digitalSignature, keyEncipherment
    < nsComment			= "OpenSSL Generated User Certificate"
    < subjectKeyIdentifier		= hash
    < extendedKeyUsage		= clientAuth
    < subjectAltName			= $ENV::SAN
    <
    < [ req_server ]
    <
    < # Copy of [ server ] for CSR
    < basicConstraints		= CA:FALSE
    < nsCertType			= server
    < keyUsage			= digitalSignature, keyEncipherment
    < nsComment			= "OpenSSL Generated Server Certificate"
    < subjectKeyIdentifier		= hash
    < extendedKeyUsage		= serverAuth,1.3.6.1.5.5.8.2.2
    <
    < [ req_server_san ]
    <
    < # Copy of [ server_san ] for CSR
    < basicConstraints		= CA:FALSE
    < nsCertType			= server
    < keyUsage			= digitalSignature, keyEncipherment
    < nsComment			= "OpenSSL Generated Server Certificate"
    < subjectKeyIdentifier		= hash
    < extendedKeyUsage		= serverAuth,1.3.6.1.5.5.8.2.2
    < subjectAltName			= $ENV::SAN
    ---
    > # These extensions are added when 'ca' signs a request.
    >
    > # This goes against PKIX guidelines but some CAs do it and some software
    > # requires this to avoid interpreting an end user certificate as a CA.
    >
    > basicConstraints=CA:FALSE
    >
    > # Here are some examples of the usage of nsCertType. If it is omitted
    > # the certificate can be used for anything *except* object signing.
    >
    > # This is OK for an SSL server.
    > # nsCertType			= server
    >
    > # For an object signing certificate this would be used.
    > # nsCertType = objsign
    >
    > # For normal client use this is typical
    > # nsCertType = client, email
    >
    > # and for everything including object signing:
    > # nsCertType = client, email, objsign
    >
    > # This is typical in keyUsage for a client certificate.
    > # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    >
    > # This will be displayed in Netscape's comment listbox.
    > nsComment			= "OpenSSL Generated Certificate"
    >
    > # PKIX recommendations harmless if included in all certificates.
    > subjectKeyIdentifier=hash
    > authorityKeyIdentifier=keyid,issuer
    >
    > # This stuff is for subjectAltName and issuerAltname.
    > # Import the email address.
    > # subjectAltName=email:copy
    > # An alternative to produce certificates that aren't
    > # deprecated according to PKIX.
    > # subjectAltName=email:move
    >
    > # Copy subject details
    > # issuerAltName=issuer:copy
    >
    > #nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
    > #nsBaseUrl
    > #nsRevocationUrl
    > #nsRenewalUrl
    > #nsCaPolicyUrl
    > #nsSslServerName
    >
    > # This is required for TSA certificates.
    > # extendedKeyUsage = critical,timeStamping
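    Review bot: the sections defined only on the `<` side ([ usr_cert_san ], [ server ], [ server_san ] and the four [ req_* ] copies) are the ones carrying `extendedKeyUsage = clientAuth` / `serverAuth`, `nsCertType = server` and `subjectAltName = $ENV::SAN`; the upstream [ usr_cert ] on the `>` side sets no EKU and no nsCertType and uses `authorityKeyIdentifier=keyid,issuer` instead of `keyid,issuer:always`. A generation request that names one of the missing sections cannot succeed at all, and any certificate that did get issued against the upstream file lacks the client/server role separation the pfSense file enforces. Inspect certificates issued while the file was wrong with `openssl x509 -noout -text` and check the Extended Key Usage line before relying on them for OpenVPN.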
    259d224
    <
    261a227
    >
    269c235
    < authorityKeyIdentifier=keyid:always,issuer:always
    ---
    > authorityKeyIdentifier=keyid:always,issuer
    280c246
    < keyUsage = cRLSign, keyCertSign
    ---
    > # keyUsage = cRLSign, keyCertSign
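    Review bot: in [ v3_ca ] the upstream side comments out `keyUsage = cRLSign, keyCertSign`, so a CA created while /etc/ssl/openssl.cnf was the upstream copy carries no keyUsage extension at all, whereas the pfSense file restricts CA keys to certificate and CRL signing. Any CA created during the broken window is worth inspecting and re-creating rather than relying on verifiers to tolerate the missing extension.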
    296,303d261
    < [ v3_ca_san ]
    <
    < # copy of [ v3_ca ] plus nonempty Subject Alternative Names
    < subjectKeyIdentifier=hash
    < authorityKeyIdentifier=keyid:always,issuer:always
    < basicConstraints=CA:true
    < subjectAltName=$ENV::SAN
    <
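    Review bot: [ v3_ca_san ] is absent from the `>` side, so a CA request with Subject Alternative Names would hit a missing-section error; same root cause as the earlier hunks, nothing to fix individually once the full file is restored.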
    310c268
    < authorityKeyIdentifier=keyid:always,issuer:always
    ---
    > authorityKeyIdentifier=keyid:always
    


  • Seems to have fixed it by copying it over:
    cp /usr/local/share/pfSense/ssl/openssl.cnf /etc/ssl/openssl.cnf
    THANK YOU
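    To confirm that the copied file is really the pfSense one and not another upstream copy, here is an added example (not from the thread or from pfSense) that audits an openssl.cnf for the pieces the diff above shows only on the pfSense side: the `SAN =` default, `prompt = no`, and the section headers that the upstream file lacks. The section and key names are taken from that diff; the grep-based matching and the exit codes are conventions of this example.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: audit an openssl.cnf for the
# pfSense-specific sections and defaults that the diff in this thread shows only in
# the master copy, so a restored /etc/ssl/openssl.cnf can be checked by content.

# Section headers present only on the pfSense side of the diff.
PFSENSE_SECTIONS="usr_cert_san server server_san req_usr_cert req_usr_cert_san req_server req_server_san v3_ca_san"

has_section() {
    # A section header is "[ name ]"; allow optional whitespace inside the brackets.
    grep -Eq "^[[:space:]]*\[[[:space:]]*$2[[:space:]]*\]" "$1"
}

has_key() {
    # Matches "key = value" anywhere in the file; $3 may be empty (as for "SAN =").
    grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3" "$1"
}

# Prints the pfSense-only sections that $1 does not define (space separated).
missing_sections() {
    out=""
    for s in $PFSENSE_SECTIONS; do
        has_section "$1" "$s" || out="$out $s"
    done
    printf '%s\n' "${out# }"
}

# Prints the pfSense defaults that $1 does not carry.
missing_keys() {
    out=""
    has_key "$1" SAN ""    || out="$out SAN"        # default used when $ENV::SAN is unset
    has_key "$1" prompt no || out="$out prompt=no"  # DN values are literal, not prompts
    printf '%s\n' "${out# }"
}

# Returns 0 when the file carries everything, 1 when something is missing,
# 2 when the file is absent or empty (exit codes are this example's convention).
audit_openssl_cnf() {
    f="${1:-/etc/ssl/openssl.cnf}"
    [ -s "$f" ] || { echo "MISSING OR EMPTY: $f" >&2; return 2; }
    sec=$(missing_sections "$f")
    key=$(missing_keys "$f")
    if [ -z "$sec" ] && [ -z "$key" ]; then
        echo "OK: $f has the pfSense sections and defaults"
        return 0
    fi
    [ -n "$sec" ] && echo "missing sections: $sec" >&2
    [ -n "$key" ] && echo "missing keys: $key" >&2
    return 1
}
```

    Run `audit_openssl_cnf /etc/ssl/openssl.cnf` after the copy; a non-zero exit with a list of missing sections means the live file is still the upstream one and certificate generation will keep failing for the reasons visible in the diff.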


  • Rebel Alliance Developer Netgate

    Well, that solves why it wasn't generating the certificates, but not why that copy didn't happen when it should. That should be done at every boot automatically, and for some reason it didn't happen for you. It should be OK between reboots, but you may want to confirm that for certain. Upgrades may also be questionable there, but that's harder to confirm since we haven't changed that file in a while.



  • Yes, related to the (reverse NAT?) issue with upgrading the standby; the first attempt at upgrading did not complete before timing out. I believe I got an "upgrade already in progress" when I ran a subsequent upgrade from the shell and then wound up rebooting...